Wednesday, 27 April 2016

Second part of my DNS setup notes, this time about DNSSEC. The following notes
assume there is already a running instance of Bind 9 on a Debian Jessie system
for an imaginary domain example.com, served by a name server named
ns.example.com.

The version of Bind 9 (9.9.5) in Debian Jessie supports "inline signing" of
zones, which makes the setup much simpler than in the tutorials built around
dnssec-tools or OpenDNSSEC: named signs the zone itself and keeps the
signatures fresh, and the unsigned zone file stays as it is.

Note that the "file" entry of the zone declaration must point to a file in
/var/cache/bind, not in /etc/bind. With inline signing, bind derives the path
of the signed copy of the zone (db.example.com.signed) and of the related
journal files from that "file" entry and creates them next to it. /etc/bind is
writable only by root, not by the bind user that named runs as, so the creation
of the .signed file fails if the zone file lives there.

and place these lines in db.example.com (i.e., the db file for the parent
zone). Bump the serial number of the zone in the same file and run

rndc reload

You should then be able to query the DS record with

dig @localhost -t DS home.example.com

You can use Verisign's DNS debugging tool to check that the signatures are
valid and DNSViz to view the chain of trust from the TLD down to your zone, and
to spot where it breaks. This also helped me figure out that my zone delegation
was incorrect and caused discrepancies between my primary DNS server and the
secondary server.

Now that I have my own server, I can finally have my own DNS server and my own
domain name for my home computer that has a (single) dynamic IP address.

The following notes assume there is already a running instance of Bind 9 on a
Debian Jessie system for an imaginary domain example.com, served by a name
server named ns.example.com, and that you want to dynamically update the DNS
records for home.example.com. This is largely based on the Debian tutorial on
the subject, with the difference that it works around the fact that bind cannot
modify files in /etc/bind.

On the server

Create a shared (TSIG) key that will allow the home computer to remotely update
the dynamic zone:

dnssec-keygen -a HMAC-MD5 -b 128 -r /dev/urandom -n USER DDNS_UPDATE

This creates a pair of files (.key and .private) with names starting with
Kddns_update.+157+ (157 is the number of the HMAC-MD5 algorithm). HMAC-MD5 is
what the Debian tutorial uses, but dnssec-keygen in this version also accepts
-a HMAC-SHA256 -b 256, which is the better choice; the files are then named
Kddns_update.+163+ and the algorithm line of the key statement must say
hmac-sha256 instead of hmac-md5. Look for the value of the Key: entry in the
.private file and put that value in a file named /etc/bind/ddns.key with the
following content (surrounding it with double quotes):

In /var/cache/bind create the file db.home.example.com by copying
/etc/bind/db.empty and adapting it to your needs. Make sure the bind user can
write it (for instance chown bind:bind), since named rewrites the zone file
after dynamic updates and keeps a journal (db.home.example.com.jnl) next to
it. For convenience, create a db.home.example.com symbolic link in /etc/bind
pointing to /var/cache/bind/db.home.example.com.

In db.example.com (that is, the parent zone), add an NS record to delegate
the name home.example.com to the DNS server of the parent zone (the same
server, so no glue record is needed):

home.example.com NS ns.example.com

You can now reload the bind service to apply the configuration changes.
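As an added example (my script, not part of the post or of the Debian tutorial), the following produces the server-side configuration for both procedures described so far: the inline-signed parent zone with its file under /var/cache/bind, and the dynamic child zone together with the key statement built from the dnssec-keygen output. The choices that are mine rather than the post's are marked as assumptions in the comments: the key is generated with HMAC-SHA256, the zone statements are appended to /etc/bind/named.conf.local, the DNSSEC keys of example.com are expected in /var/cache/bind/keys, and the dynamic zone uses an update-policy grant that restricts the key to the A/AAAA records of home.example.com instead of a blanket allow-update.

```shell
#!/bin/sh
# Added example, not part of the original post: build the named.conf fragments
# for ns.example.com (inline-signed parent zone plus a dynamic child zone) and
# the TSIG key file, from the files dnssec-keygen produces.
# Assumed by this script (not stated in the post): HMAC-SHA256 for the TSIG
# key, /etc/bind/named.conf.local as the target, /var/cache/bind/keys as the
# DNSSEC key directory, and an update-policy grant instead of allow-update.
set -eu

PARENT=example.com
CHILD=home.example.com
KEYNAME=DDNS_UPDATE
CACHE=/var/cache/bind        # writable by the bind user; /etc/bind is not

# "Key: <base64>" line of a K*.private file written by dnssec-keygen.
secret_from_private() {
    sed -n 's/^Key: *//p' "$1"
}

# "Algorithm: 163 (HMAC_SHA256)" -> hmac-sha256, the spelling named.conf wants.
algorithm_from_private() {
    sed -n 's/^Algorithm: *[0-9]* *(\([A-Z0-9_]*\)).*/\1/p' "$1" | tr 'A-Z_' 'a-z-'
}

# key statement: key_statement <algorithm> <base64 secret>
key_statement() {
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$KEYNAME" "$1" "$2"
}

# Parent zone, signed in place by named. The signed copy and the journals are
# created next to "file", which is why it has to live under /var/cache/bind.
parent_zone_statement() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s/db.%s";\n\tkey-directory "%s/keys";\n\tinline-signing yes;\n\tauto-dnssec maintain;\n};\n' \
        "$PARENT" "$CACHE" "$PARENT" "$CACHE"
}

# Child zone. The grant limits the key to the A/AAAA records of the one name
# it is meant to change; allow-update { key DDNS_UPDATE; } would let a leaked
# key rewrite any record in the zone, NS and SOA included.
child_zone_statement() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s/db.%s";\n\tupdate-policy {\n\t\tgrant %s name %s. A AAAA;\n\t};\n};\n' \
        "$CHILD" "$CACHE" "$CHILD" "$KEYNAME" "$CHILD"
}

# Guard against the mistake described in the post: a zone file under /etc/bind.
zone_file_ok() {
    case "$1" in
        "$CACHE"/*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Generate the key, write the files, check and reload. Run as root on the server.
install_config() {
    tmpd=$(mktemp -d)
    kname=$(cd "$tmpd" && dnssec-keygen -a HMAC-SHA256 -b 256 -r /dev/urandom -n USER "$KEYNAME")
    priv="$tmpd/$kname.private"
    key_statement "$(algorithm_from_private "$priv")" "$(secret_from_private "$priv")" \
        > /etc/bind/ddns.key
    rm -rf "$tmpd"                       # the secret now lives only in ddns.key
    chown root:bind /etc/bind/ddns.key
    chmod 0640 /etc/bind/ddns.key        # readable by named, by nobody else
    zone_file_ok "$CACHE/db.$PARENT"
    {
        printf 'include "/etc/bind/ddns.key";\n'
        parent_zone_statement
        child_zone_statement
    } >> /etc/bind/named.conf.local
    named-checkconf
    rndc reload
}

# Only touches the system when asked to: sh bind-ddns-setup.sh install
if [ "${1:-}" = install ]; then
    install_config
fi
```

Running it without the install argument only defines the functions, so the statements can be inspected first with `parent_zone_statement` and `child_zone_statement` before anything is written. The include line keeps the secret out of named.conf.local, whose permissions are looser than those of ddns.key.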

On the home computer

I decided to use ddclient 3.8.3 because it supports dynamic dns updates
using the nsupdate tool. I backported that version of ddclient manually
from a Debian Testing package; it's written in Perl and the backporting is
trivial.

Copy /etc/bind/ddns.key from the server to /etc/ddns.key on the home
computer (the one running ddclient), ensuring only root can read it. Then add
the following to /etc/ddclient.conf (be careful with the commas: there is no
comma at the end of the second-to-last line):
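Since ddclient 3.8.3 has to be backported for this, here is an added example (my script, not the post's, and not ddclient's code) of the same update done directly with nsupdate, the tool ddclient drives in this mode. It assumes /etc/ddns.key is the key statement copied from the server, that the caller passes the detected public address on the command line, and a TTL of 300 seconds; none of these are stated in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: publish the home computer's
# address in home.example.com with nsupdate and the TSIG key copied from the
# server. Assumed here (not in the post): a 300 second TTL, the address is
# handed in by the caller, and only the A record of the zone apex is managed.
set -eu

SERVER=ns.example.com
ZONE=home.example.com
NAME=home.example.com
TTL=300
KEYFILE=/etc/ddns.key        # named.conf-style key statement, root-readable only

# Accept only a dotted quad. The value is spliced into an nsupdate command
# stream, so a stray "update add ..." or newline must not get through.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oifs=$IFS
    IFS=.
    set -- $1
    IFS=$oifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# nsupdate batch: drop the old A record and add the new one in a single
# transaction, so the name never resolves to nothing in between.
build_update() {
    printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$SERVER" "$ZONE" "$NAME" "$NAME" "$TTL" "$1"
}

# Address currently published by the authoritative server, empty if none.
published_addr() {
    dig +short @"$SERVER" "$NAME" A | head -n 1
}

# Send an update only when the address changed; every accepted update rewrites
# the zone and grows its journal, so a cron job should not update blindly.
update_if_changed() {
    is_ipv4 "$1" || { echo "refusing to publish '$1'" >&2; return 2; }
    if [ "$(published_addr)" = "$1" ]; then
        return 0
    fi
    build_update "$1" | nsupdate -k "$KEYFILE"
}

# Usage from cron: ddns-update.sh "$(detected_public_address)"
if [ $# -gt 0 ]; then
    update_if_changed "$1"
fi
```

The delete-then-add pair and the `send` go to the server as one signed UPDATE message, which is what the update-policy on the server authorises; a failed TSIG check or a record outside the grant makes nsupdate report REFUSED and nothing is changed.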